From 5564251aaca45997397f2b14a18451f6e116eb0e Mon Sep 17 00:00:00 2001 From: Michel Weststrate Date: Mon, 13 Dec 2021 05:46:42 -0800 Subject: [PATCH] Make sure only requests from own host & port are accepted for now Summary: Make sure the flipper server socket only accepts local connections Reviewed By: aigoncharov Differential Revision: D33020251 fbshipit-source-id: 53e95e4871a45f3a3fa14f999499568a5a6b4995 --- desktop/flipper-server/src/startBaseServer.tsx | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/desktop/flipper-server/src/startBaseServer.tsx b/desktop/flipper-server/src/startBaseServer.tsx index 666128947..8281f059a 100644 --- a/desktop/flipper-server/src/startBaseServer.tsx +++ b/desktop/flipper-server/src/startBaseServer.tsx @@ -26,7 +26,7 @@ export async function startBaseServer(config: Config): Promise<{ socket: socketio.Server; }> { const {app, server} = await startAssetServer(config); - const socket = addWebsocket(server); + const socket = addWebsocket(server, config); return { app, server, @@ -61,9 +61,21 @@ function startAssetServer( }); } -function addWebsocket(server: http.Server) { +function addWebsocket(server: http.Server, config: Config) { + const validHost = `localhost:${config.port}`; const io = new socketio.Server(server, { maxHttpBufferSize: WEBSOCKET_MAX_MESSAGE_SIZE, + allowRequest(req, callback) { + const noOriginHeader = req.headers.origin === undefined; + if (noOriginHeader && req.headers.host === validHost) { + callback(null, true); + } else { + console.warn( + `Refused sockect connection from cross domain request, origin: ${req.headers.origin}, host: ${req.headers.host}. Expected: ${validHost}`, + ); + callback(null, false); + } + }, }); return io; }
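Review bot: The Host/Origin test in allowRequest does not make the socket accept only local connections as the summary says; it only stops browser pages from connecting cross-origin (browsers always send Origin on a WebSocket handshake), while any non-browser client that can reach the port can omit Origin and send `Host: localhost:<port>` and will be accepted. Unless the listener is bound to a loopback address (the listen call is outside this hunk), the check should also require a loopback peer, e.g. `const remote = req.socket.remoteAddress;` / `const isLoopback = remote === '127.0.0.1' || remote === '::1' || remote === '::ffff:127.0.0.1';` / `if (noOriginHeader && isLoopback && req.headers.host === validHost) {`, or the server should bind to 127.0.0.1 explicitly. The exact-string Host comparison also rejects a legitimate local client that connects via `127.0.0.1:<port>` or `[::1]:<port>`, and Host is case-insensitive, so a lowercase/host-list comparison would be more robust. Finally, the warning message has a typo (`sockect`) and calls a Host mismatch a cross-domain request; consider `Refused socket connection: origin ${req.headers.origin}, host ${req.headers.host}; expected no origin and host ${validHost}`.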